Re: Cisco VPNClient does not work with SELinux enabled in FC4

yukku yukkoooooo wrote:
I am running on FC4 and I installed Cisco VPN client software, however when I run vpnclient I am getting the error message :
"vpnclient: error while loading shared libraries: /opt/cisco-vpnclient/lib/libvpnapi.so: cannot restore segment prot after reloc: Permission denied"
This is strange.

Have you tried

chcon -t textrel_shlib_t /opt/cisco-vpnclient/lib/libvpnapi.so
Friendly neighbourhood Paul Howarth correctly guessed it to be related to SELinux.
I am able to run the vpnclient by disabling the SELinux using
setenforce 0
The chcon command did not work (apparently it is not supposed to work in FC4). I get an error message "type=AVC msg=audit(1147460693.437:11955217): avc: denied { execmod } "
if I disable selinux and run the vpnclient command.
> Paul Howarth wrote:
> > The memory checks are present in FC4 but disabled by default. It appears
> > that they have somehow been enabled on your system.
> > This should fix it:
> > # setsebool -P allow_execmod 1
> I gave this command and it still does not work with
> SELinux. So I dug a little bit and gave the command
> # getsebool -a | less
> and I got a long output of which I took the ones that might
> make sense to you -
> allow_execmem --> active
> allow_execmod --> active
> allow_execstack --> active
> allow_kerberos --> active
> allow_write_xshm --> active
> allow_ypbind --> active
>> There's something very weird going on there. allow_execmod should do
>> what it says. I'd try asking about this on fedora-selinux-list,

setsebool with execmod is not working either.
I have attached the relevant files as well. Any ideas?
This should give you an idea of the SELinux version
> selinux-doc-1.19.5-1.noarch.rpm
> selinux-policy-targeted-1.23.16-6.noarch.rpm

Newbie Yukku

type=SYSCALL msg=audit(1147715609.949:3621791): arch=40000003 syscall=4 success=yes exit=1 a0=3 a1=bfc7b7b8 a2=1 a3=bfc7b7b8 items=0 pid=4330 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="setenforce" exe="/usr/sbin/setenforce"
type=AVC msg=audit(1147715609.949:3621791): avc:  granted  { setenforce } for  pid=4330 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
type=AVC_PATH msg=audit(1147715612.195:3634219):  path="/opt/cisco-vpnclient/lib/libvpnapi.so"
type=SYSCALL msg=audit(1147715612.195:3634219): arch=40000003 syscall=125 per=400000 success=yes exit=0 a0=9be000 a1=41000 a2=5 a3=bfd74540 items=0 pid=4332 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="vpnclient" exe="/opt/cisco-vpnclient/bin/vpnclient"
type=AVC msg=audit(1147715612.195:3634219): avc:  denied  { execmod } for  pid=4332 comm="vpnclient" name=libvpnapi.so dev=hda3 ino=32474 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:usr_t tclass=file

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 19
Policy from config file:        targeted

Policy booleans:
NetworkManager_disable_trans    inactive
allow_execmem                   active
allow_execmod                   active
allow_execstack                 active
allow_kerberos                  active
allow_write_xshm                inactive
allow_ypbind                    inactive
apmd_disable_trans              inactive
arpwatch_disable_trans          inactive
auditd_disable_trans            inactive
bluetooth_disable_trans         inactive
canna_disable_trans             inactive
cardmgr_disable_trans           inactive
comsat_disable_trans            inactive
cupsd_config_disable_trans      inactive
cupsd_disable_trans             inactive
cvs_disable_trans               inactive
cyrus_disable_trans             inactive
dbskkd_disable_trans            inactive
dhcpc_disable_trans             inactive
dhcpd_disable_trans             inactive
dovecot_disable_trans           inactive
fingerd_disable_trans           inactive
ftp_home_dir                    active
ftpd_disable_trans              inactive
ftpd_is_daemon                  active
hald_disable_trans              inactive
hotplug_disable_trans           inactive
howl_disable_trans              inactive
httpd_builtin_scripting         active
httpd_can_network_connect       inactive
httpd_disable_trans             inactive
httpd_enable_cgi                active
httpd_enable_homedirs           active
httpd_ssi_exec                  active
httpd_suexec_disable_trans      inactive
httpd_tty_comm                  inactive
httpd_unified                   active
i18n_input_disable_trans        inactive
inetd_child_disable_trans       inactive
inetd_disable_trans             inactive
innd_disable_trans              inactive
kadmind_disable_trans           inactive
klogd_disable_trans             inactive
krb5kdc_disable_trans           inactive
ktalkd_disable_trans            inactive
lpd_disable_trans               inactive
mysqld_disable_trans            inactive
named_disable_trans             inactive
named_write_master_zones        inactive
nfs_export_all_ro               active
nfs_export_all_rw               active
nmbd_disable_trans              inactive
nscd_disable_trans              inactive
ntpd_disable_trans              inactive
portmap_disable_trans           inactive
postgresql_disable_trans        inactive
pppd_disable_trans              inactive
pppd_for_user                   inactive
privoxy_disable_trans           inactive
ptal_disable_trans              inactive
radiusd_disable_trans           inactive
radvd_disable_trans             inactive
read_default_t                  active
rlogind_disable_trans           inactive
rsync_disable_trans             inactive
samba_enable_home_dirs          inactive
saslauthd_disable_trans         inactive
slapd_disable_trans             inactive
smbd_disable_trans              inactive
snmpd_disable_trans             inactive
squid_connect_any               inactive
squid_disable_trans             inactive
stunnel_disable_trans           inactive
stunnel_is_daemon               inactive
syslogd_disable_trans           inactive
system_dbusd_disable_trans      inactive
telnetd_disable_trans           inactive
tftpd_disable_trans             inactive
udev_disable_trans              inactive
use_nfs_home_dirs               inactive
use_samba_home_dirs             inactive
uucpd_disable_trans             inactive
winbind_disable_trans           inactive
ypbind_disable_trans            inactive
ypserv_disable_trans            inactive
zebra_disable_trans             inactive

